PeopleSoft IT General Controls

Save this PDF as:
Size: px
Start display at page:

Download "PeopleSoft IT General Controls"

Transcription

1 PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor

2 The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee and oversees the City s Comprehensive Annual Financial Report (CAFR). The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher Robert Haddock Charles Husted Timothy O Brien Maurice Goodgaine Jeffrey Hart Bonney Lopez Audit Staff John Carlson, Deputy Audit Director, JD, CIA, CICA Stephen E. Coury, IT Audit Supervisor, CISA Robert Pierce, Lead IT Auditor, CISA Aaron Pratt, Senior IT Auditor, CISA Brandon Blomquist, Staff IT Auditor You can obtain free copies of this report by contacting us at: Office of the Auditor 201 W. Colfax Avenue, Dept. 705 Denver CO, (720) Fax (720) Or view an electronic copy by visiting our website at:

3 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Ave., Dept. 705 Denver, Colorado FAX December 17, 2009 Molly Rauzi, Chief Information Officer Technology Services City and County of Denver Claude Pumilia, Chief Financial Officer Department of Finance City and County of Denver Dear Ms. Rauzi and Mr. Pumilia: Attached is the Auditor s Office Audit Services Division s report of their audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operating and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications. The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications. If you have any questions, please call Kip Memmott, Director of Audit Services, at Sincerely, Dennis Gallagher Auditor DJG/ect cc: Honorable John Hickenlooper, Mayor Honorable Members of City Council Members of Audit Committee Ms. Roxane White, Chief of Staff Mr. David T. Roberts, Chief Services Officer Mr. David Fine, City Attorney Mr. L. Michael Henry, Staff Director, Board of Ethics Ms. Lauri Dannemiller, City Council Executive Staff Director Ms. Beth Machann, Controller Mr. Al Rosabal, Deputy Chief Information Officer To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

4 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Ave., Dept. 705 Denver, Colorado FAX AUDITOR S REPORT We have completed an audit of PeopleSoft IT General Controls for the period of October 1, 2008 through September 30, The purpose of the audit was to examine and assess the IT general controls related to the PeopleSoft Human Resources and Financial Management applications to ensure they provide sound foundations to support the proper operating and security of these information systems. Audit work focused on change control, security settings, access management, and operations as they pertain to the PeopleSoft Human Resources and Financial Management applications. This audit was included in the Auditor s Office Audit Services Division s 2009 Annual Audit Plan and is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications. We extend our appreciation to the personnel who assisted and cooperated with us during the audit. Audit Services Division Kip Memmott, MA, CGAP, CICA Director of Audit Services To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

5 TABLE OF CONTENTS EXECUTIVE SUMMARY 1 INTRODUCTION & BACKGROUND 3 What is PeopleSoft? 3 What are IT General Controls (ITGCs)? 3 SCOPE 6 OBJECTIVES 7 METHODOLOGY 8 FINDING 1 9 Procedures for Removing System Access Are Not Fully Effective 9 FINDING 2 10 Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures 10 FINDING 3 12 Disaster Recovery Procedures Are Not Tested on a Periodic Basis 12 AGENCY RESPONSE 13

6

7 EXECUTIVE SUMMARY Audit work revealed deficiencies in the process for disabling systems access of terminated employees as well as the need for process improvements to help ensure system password settings are effective. The audit also identified a need to perform a disaster recovery test for the PeopleSoft Human Resources and Financial Management applications. These deficiencies were found in three of the four areas of Information Technology General Controls (ITGCs) reviewed for the PeopleSoft application and supporting infrastructure. The three areas with deficiencies were access management, security settings, and operations. No deficiencies were found based on the testing we performed in the change control area. Access Management Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still a current employee. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction. Security Settings Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment. Audit work also identified data center access cards that were not assigned to specific authorized persons. Without full accountability for who has access to the data centers, unknown persons could cause system disruption, physical damage or steal valuable assets. P a g e 1 Office of the Auditor

8 Operations Business owners and Technology Services have not performed a test of the existing disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the last year. Hardware, software, and personnel changes occurring over time could cause parts of the plan to become obsolete. Without periodic testing there is a risk that the disaster recovery plan will not work properly when needed. City and County of Denver P a g e 2

9 INTRODUCTION & BACKGROUND What is PeopleSoft? The City and County of Denver uses the PeopleSoft Enterprise system for a variety of key business functions, such as, Human Resources (Payroll, Employee Benefits, Time and Labor) and Financials (General Ledger, Purchasing, Payables, Projects and Grants, Asset Management). PeopleSoft is an Enterprise Resource Planning (ERP) system that allows for integration of business functions and a single access control model. Although many city agencies use the various PeopleSoft modules, we identified the Office of the Controller as a key business owner and user of PeopleSoft. The Technology Services organization provides the technical support and IT general controls environment for PeopleSoft through its Enterprise Applications Services and Operations groups. What are IT General Controls (ITGCs)? Information Technology General Controls (ITGCs) are those behind the scenes controls that serve as the foundation for the proper operating and security of information systems. They help to ensure the operational and data integrity upon which City systems rely. ITGCs interact with each other like pieces in a puzzle. Each control process supports the others and without one, the control structure is incomplete. Following are descriptions the ITGC areas of Change Control, Security Settings, Access Management, and Operations. P a g e 3 Office of the Auditor

10 Change Control Strong procedures over change control ensure that changes introduced into production are authorized and tested to maintain the integrity and availability of both software applications and data. To ensure the PeopleSoft systems operate as intended and continue to operate without disruption, the City tests and implements changes through three separate processing environments known as Test, Quality Assurance, and Production. Effective change controls provide for separation of duties between software developers, system testers, and production users. The software developer makes system changes in the Test environment but cannot implement the changes into production. Persons other than the software developer perform software testing functions in the Quality Assurance environment. After approval by the requesting party or business owner, the change is then implemented into the Production environment. Controls that provide a separation of duties ensure that no single person can implement a change into production. The processing and testing of changes through the three environments of Test, Quality Assurance and Production helps to ensure that changes are authorized, tested, and approved. The overall result of these controls helps to preserve the integrity of the production environment s system and data, and prevents unnecessary disruption of production systems. City and County of Denver P a g e 4

11 Security Settings There are four levels of security controls for the PeopleSoft application: the Application Level, the Database Level, the Operating System Level, and the Physical Security Level. Application Level Users can login to PeopleSoft in one of two ways. Most access the system via a Web interface that uses their general network ID and password. Some sign directly onto PeopleSoft using an ID and password separate from their network credentials, which are stored and maintained within PeopleSoft itself. Application Level security settings affect the design and functioning of login IDs and passwords for direct logins, such as their minimum length and how often they must be changed. Changing passwords periodically helps prevent unauthorized system access through compromised passwords. Database Level The PeopleSoft application stores data in an Oracle database. Database Administrators perform configuration and maintenance of the database. These individuals have highly privileged access, including the capability to modify data if necessary outside of the application controls. The IDs and passwords at this level are controlled by settings within the Oracle database. Again, changing passwords periodically helps prevent unauthorized system access through compromised passwords. Operating System Level Both the PeopleSoft application and the Oracle database run on servers controlled by the AIX operating system. System Administrators configure servers to support the integrity and protection of the data. System Administrators can have local accounts on the server that are separate from their general network logins. Password controls over these local accounts are configured in the AIX operating system. Changing passwords periodically helps protect unauthorized system access in the event passwords are unknowingly compromised. Sometimes System Administrators need to access the server through a special built-in account called root which has the proverbial keys to the kingdom. As root does not require identification of the user, there is no accountability for who P a g e 5 Office of the Auditor

12 uses it. The root password should be changed periodically and changed immediately when anyone knowing the password transfers out of the department or terminates employment with the City. Physical Security Level The physical servers that support all the aforementioned levels reside in a protected data center. Proximity badge readers control access to the data center. The City issues access security cards to authorized individuals. These individuals scan the cards by a specialized reader mounted near the door, which verifies the card and unlocks the door accordingly. As the card is the sole control for physical access, a person should have only one card and every card should be registered to a known and authorized individual. Access Management Employees are granted access rights to the City s information systems upon being hired. Job requirements determine specific access rights and such rights are modified when job responsibilities change. Access is disabled or removed when individuals terminate their employment with the City. These controls are designed to ensure that only authorized individuals have access to City systems and data and that such access is limited according to their specific job requirements. Operations Controls over operations of systems help to ensure the confidentiality, integrity, and availability of information systems. These controls include regularly backing up system data, storing backup media offsite, and regularly testing system recovery capability in the event of a disaster. SCOPE The audit examined and evaluated IT general controls related to the City s PeopleSoft Human Resources and Financial Management applications. The audit tested IT general controls in the areas of change control, security settings, access management, and operations. The audit focused on agencies that directly use PeopleSoft and are supported by Technology Services, which excludes the Denver International Airport. The audit period extended from October 1, 2008 through September 30, City and County of Denver P a g e 6

13 OBJECTIVES Audit objectives included evaluating the Information Technology General Controls for the following areas: Change controls providing separation of processing environments for test, quality assurance, and production, and separation of duties for the roles of software developers, system testers, and end users. Including system changes being authorized, tested, and approved before implemented into production. Security settings limiting access to authorized individuals for PeopleSoft at the application, database, operating system, and physical security levels. Access management controls ensuring employee access is limited to specific job functions and access to City systems and data is removed when individuals terminate their employment with the City. Operational controls providing for system backup and recovery capability for the PeopleSoft applications. P a g e 7 Office of the Auditor

14 METHODOLOGY We utilized multiple methodologies to achieve audit objectives. These evidence gathering and analysis techniques included, but were not limited to: Interviewing personnel in the Controller s Office and Technology Services and reviewing selected policies and procedures related to PeopleSoft and its infrastructure. Independently executing queries to obtain complete populations of new and changed users within PeopleSoft and testing for supervisor approval. Utilizing Computer Assisted Auditing Techniques (CAATs) to compare the population of 1,235 employees terminated during the audit period to the entire population of 11,159 Active Directory accounts, and the population of 13,068 employees with access to PeopleSoft. Directly observing physical access controls in place at the data centers and ensuring that none of the 1,235 terminated employees had access to the data centers supporting the PeopleSoft application. Observing the execution of queries to obtain a complete population of changed database objects for the Human Resources and Financial Management applications. Changed objects included software patches, HR tax updates, salary grade changes, benefit selections, stimulus grant reporting, and changes to access privileges. Independently testing a sample of changes from the Human Resources and Financial Management applications using Stat, the change and access management tool used by Technology Services. Directly observing environmental controls in place at the data centers supporting the PeopleSoft application through onsite inspection and examination of maintenance records. Examining evidence of backup and off-site storage of media. Obtaining access to Active Directory Users and Computers (ADUC) for examining login account access and information. Executing scripts to extract system and password configuration settings for the infrastructure supporting PeopleSoft (Oracle database and AIX servers). Verifying that default passwords have been changed on highly privileged accounts for the Oracle database and AIX operating system. City and County of Denver P a g e 8

15 FINDING 1 Procedures for Removing System Access Are Not Fully Effective Through the use of Computer Assisted Auditing Techniques (CAATs) we independently matched terminated employees to the full database of 11,159 active network accounts 76 Terminated Employees Still Had Active Network Login Accounts and found that 76 former employees (over 6% of the 1,235 terminated) from 16 agencies still had active network accounts. One of the 76 still had access to PeopleSoft. Further analysis of the 76 terminated employee accounts showed that 14 had accessed City systems after termination. These users had much of the same access as if they were still a current employee. We also found that eight had the capability to connect remotely to the City network from outside City facilities. Of those eight with remote access, three had logged in subsequent to termination. The failure to disable the login accounts of terminated employees exposes City information systems and data to unauthorized modification, disclosure or destruction. The number of terminations used above (1,235) occurred during the audit scope period of October 1, 2008 through September 30, The actual number of terminated employees with active network accounts may increase if the time period were expanded to include prior years. Recommendations Terminated Employees with Active Logins Type Number of Employees Terminated Employees 1,235 Active Login Accounts 76 Accessed Since Termination 14 Remote Access Capability 8 Accessed since termination and have Remote Access Have Access to PeopleSoft 1 3 Working with the Controller s Office, we recommend that Technology Services: 1. Investigate and immediately deactivate all terminated employee login accounts, including those from prior years. 2. Determine the root cause for the breakdown within the termination process. 3. Revise procedures to improve the effectiveness of the termination process. 4. Add compensating controls to support the revised termination procedures. For example, scanning inactive accounts or adopting a periodic comparison of active accounts against terminated employees. 5. Consider the implementation of more sophisticated or automated access management tools. P a g e 9 Office of the Auditor

16 FINDING 2 Password and Physical Access Controls Are Not Consistently Aligned with City Policies and Procedures Some users with access to PeopleSoft, Oracle, or the AIX operating system do not have adequate controls over their passwords. It is important that users follow good password practices as set by management. Passwords provide the primary control over user access to computer resources and their effectiveness tends to diminish over time. By requiring periodic passwords changes, the City will reduce risk of unauthorized access to applications and the information stored within them. A password character setting requiring too few characters can result in more easily guessed passwords, and an undefined threshold of bad password attempts could result in users continued attempts to access unauthorized systems without having their ID suspended. A lack of security parameters weakens security controls, which could lead to unauthorized access to the system and the subsequent disclosure, misuse and/or destruction of City data. Specifically, these security weaknesses could result in unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, or viewing confidential documents stored within the information systems environment. PeopleSoft Password Controls are not configured for users authenticating outside of Active Directory The majority of PeopleSoft users authenticate (gain access) to PeopleSoft using their Active Directory user ID and password. However, there are 43 users that access PeopleSoft outside of the Active Directory authentication. As a result, these users do not follow the Active Directory required password settings. Permitting access to PeopleSoft without using Active Directory password controls allows users to circumvent the Active Directory password requirements. There are no password requirements configured in PeopleSoft for users that do not authenticate through Active Directory. Inadequate Password Controls for Oracle Accounts Audit work reviewed password controls related to Oracle databases supporting PeopleSoft HR and Financials and determined that no password controls are enabled for Oracle user accounts. Inadequate password controls could lead to unauthorized individuals gaining access to the system and possibly changing, modifying, or deleting sensitive system files, key financial data/programs or viewing confidential documents stored within the Oracle environment. Password Controls Not Enforced for AIX Administrative and User Accounts During our review of the AIX servers hosting Oracle databases for PeopleSoft HR and Financials, audit work found that highly privileged administrative accounts as well as 18 user accounts for HR and 20 user accounts for Financials do not meet City and County of City and County of Denver P a g e 10

17 Denver Acceptable Use Agreement or password standards. We reviewed AIX files indicating the last password change date for accounts and noted highly privileged administrative and user accounts without any forced password change date. Some highly privileged accounts have not had their password changed since Unaccountable Physical Access to Data Center In addition to issues involving password control weaknesses, audit work also identified data center access cards that were not assigned to specific authorized persons. Without full accountability for who has access to the data centers, unknown persons could cause system disruption, physical damage or steal valuable assets. The majority of ID cards which grant access to the City s data centers are logged in the C*Cure system with a unique card number. Audit reviewed C*Cure access listings for two data centers and noted the following: Recommendations Four active cards on the data center access lists that had no identifiable card number. Five cards within the C*Cure system had no employee or contractor listed as the card owner. Six test cards were still active. Four individuals were assigned multiple cards with access to one or both of the data centers. We recommend that Technology Services: 1. Enforce Established Password Controls Technology Services should configure password requirements within PeopleSoft software, Oracle databases, and AIX operating systems to ensure that all users follow City and County of Denver password requirements outlined in the Acceptable Use Policy. An excerpt of the Acceptable Use Policy relating to password requirements is listed below: Users shall construct passwords with at least eight (8) characters, including three of the following four character types: upper case alphabetic, lower case alphabetic, numeric, special characters (symbols, punctuation marks). For additional security, Users are recommended to create pass phrases that contain at least fifteen (15) characters. Passwords are case sensitive. Passwords will expire after 90 days and Users will not be permitted to reuse any of the last fifteen (15) passwords used. After five (5) failed login attempts, the User s account will be disabled. The User must then personally contact Technology Services to manually reset their account. 2. Overhaul Data Center Access Lists We recommend Technology Services remove data center access from all cards which are not identifiable by card number or assigned to an individual. Technology Services P a g e 11 Office of the Auditor

18 should complete a review of all cards with access to the City s data centers for appropriateness and consider establishing formal, regular review procedures for physical access listings. Review procedures should identify and remedy: inactive badges, badges belonging to transferred or terminated personnel, duplicate IDs, and any inappropriate access not commensurate with a user s job function. FINDING 3 Disaster Recovery Procedures Are Not Tested on a Periodic Basis Business owners and Technology Services have not performed a test of the existing disaster recovery plan supporting PeopleSoft and its supporting infrastructure within the last year. Testing is an essential part of disaster recovery planning. An effective disaster recovery plan requires testing on a periodic basis, or there is a risk that the plan will not work when needed. Recommendation 1. Coordinating with business owners, Technology Services should perform regular tests of the City s disaster recovery capability for the PeopleSoft applications and supporting infrastructure. The frequency of such tests should be dictated by system criticality, and should occur at least every 12 to 18 months. City and County of Denver P a g e 12

19 AGENCY RESPONSE P a g e 13 Office of the Auditor

20 City and County of Denver P a g e 14

21 P a g e 15 Office of the Auditor

22 City and County of Denver P a g e 16

23 P a g e 17 Office of the Auditor

911 Data Center Operations Performance Audit

911 Data Center Operations Performance Audit 911 Data Center Operations Performance Audit June 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

Citywide Identity Management Follow up Report

Citywide Identity Management Follow up Report Citywide Identity Management Follow up Report July 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

The Department of General Services Contract Administration Follow up Report

The Department of General Services Contract Administration Follow up Report The Department of General Services Contract Administration Follow up Report June 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of

More information

Network Security Management Phases 1 and 2 Follow up Report

Network Security Management Phases 1 and 2 Follow up Report Network Security Management Phases 1 and 2 Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

DIA Network Security Management Follow up Report

DIA Network Security Management Follow up Report DIA Network Security Management Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

DIA Information Security Management Performance Audit

DIA Information Security Management Performance Audit DIA Information Security Management Performance Audit November 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

Citywide Social Media Usage Follow-up Report

Citywide Social Media Usage Follow-up Report Citywide Social Media Usage Follow-up Report May 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

Fixed Assets Management Performance Audit

Fixed Assets Management Performance Audit Fixed Assets Management Performance Audit May 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

City Attorney s Office: Litigation and Claims Management Follow-up Report

City Attorney s Office: Litigation and Claims Management Follow-up Report City Attorney s Office: Litigation and Claims Management Follow-up Report April 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

FOLLOW-UP REPORT Change Management Practices

FOLLOW-UP REPORT Change Management Practices FOLLOW-UP REPORT Change Management Practices May 2016 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA The Auditor of the City and County of Denver is independently

More information

DIA Network Device Security Management Performance Audit

DIA Network Device Security Management Performance Audit DIA Network Device Security Management Performance Audit June 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Police Records Management System IT General Controls Follow up Report

Police Records Management System IT General Controls Follow up Report Police Records Management System IT General Controls Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City

More information

Assessor s Office Performance Audit

Assessor s Office Performance Audit Assessor s Office Performance Audit June 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Denver 311 Follow up Report

Denver 311 Follow up Report Denver 311 Follow up Report December 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Citywide Records Management Performance Audit

Citywide Records Management Performance Audit Citywide Records Management Performance Audit August 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

Department of Public Utilities Customer Information System (BANNER)

Department of Public Utilities Customer Information System (BANNER) REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology

More information

Police Records Management System IT General Controls Performance Audit

Police Records Management System IT General Controls Performance Audit Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

Citywide Identity Management Performance Audit

Citywide Identity Management Performance Audit Citywide Identity Management Performance Audit March 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

The City of New York

The City of New York The Policy All passwords and personal identification numbers (PINs) used to protect City of New York systems shall be appropriately configured, periodically changed, and issued for individual use. Scope

More information

Mobile Devices Performance Audit

Mobile Devices Performance Audit Mobile Devices Performance Audit August 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Career Service Authority Recruiting Process Performance Audit

Career Service Authority Recruiting Process Performance Audit Career Service Authority Recruiting Process Performance Audit August 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

Network Security Management Phase 1 Performance Audit

Network Security Management Phase 1 Performance Audit Network Security Management Phase 1 Performance Audit March 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

FLORIDA ACCOUNTING INFORMATION RESOURCE SUBSYSTEM

FLORIDA ACCOUNTING INFORMATION RESOURCE SUBSYSTEM REPORT NO. 2010-021 OCTOBER 2009 DEPARTMENT OF FINANCIAL SERVICES FLORIDA ACCOUNTING INFORMATION RESOURCE SUBSYSTEM Information Technology Operational Audit For the Period July 1, 2008, Through June 30,

More information

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011 REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........

More information

OFFICE OF THE AUDITOR

OFFICE OF THE AUDITOR OFFICE OF THE AUDITOR DEPARTMENT OF AVIATION INTERNAL CONTROL REVIEW AND CONTRACT COMPLIANCE AUDIT NOVEMBER 2007 Dennis J. Gallagher Auditor Dennis J. Gallagher Auditor Mr. Turner West, Manager Department

More information

Department of Agriculture. Network Security Controls. Information Technology Audit

Department of Agriculture. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL

More information

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000.

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098. May 23, 2000. U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Memorandum ACTION: Report on Computer Security Controls of Financial Management System, FTA FE-2000-098

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of

More information

CASE MANAGEMENT SYSTEM

CASE MANAGEMENT SYSTEM REPORT NO. 2010-197 JUNE 2010 PUBLIC SERVICE COMMISSION CASE MANAGEMENT SYSTEM Information Technology Operational Audit For the Period December 2009 Through March 2010 and Selected Actions from January

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452 Mecklenburg County Department of Internal Audit PeopleSoft Application Security Audit Report 1452 February 9, 2015 Internal Audit s Mission Through open communication, professionalism, expertise and trust,

More information

Department of Education. Network Security Controls. Information Technology Audit

Department of Education. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Education Network Security Controls Information Technology Audit May 5, 2010 Report 10-17 FINANCIAL

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Management of Western Area Power Administration's Cyber Security Program DOE/IG-0873 October 2012 Department

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

NEW HAMPSHIRE RETIREMENT SYSTEM

NEW HAMPSHIRE RETIREMENT SYSTEM NEW HAMPSHIRE RETIREMENT SYSTEM Auditors Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance With Government

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT

INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT FOLLOW UP REVIEW TO AUDIT OF COURTROOM AUTOMATION Karleen F. De Blaker Clerk of the Circuit Court Ex officio County Auditor Robert W. Melton, CPA*, CIA,

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Office of Research, Analysis, and Statistics Needs to Address Computer Security Weaknesses September 17, 2008 Reference Number: 2008-20-176 This report

More information

Information Technology General Controls (ITGCs) 101

Information Technology General Controls (ITGCs) 101 Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series Webinar Agenda

More information

Audit Committee. Audit Staff

Audit Committee. Audit Staff The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring

More information

Audit Report. Information Technology Email Service. May 2014. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT

Audit Report. Information Technology Email Service. May 2014. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT Audit Report AUDIT DEPARTMENT Information Technology Email Service May 2014 Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT COMMITTEE: Commissioner Steve Sisolak Commissioner Chris Giunchigliani

More information

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology 6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1

More information

Information System Audit Report Office Of The State Comptroller

Information System Audit Report Office Of The State Comptroller STATE OF CONNECTICUT Information System Audit Report Office Of The State Comptroller AUDITORS OF PUBLIC ACCOUNTS KEVIN P. JOHNSTON ROBERT G. JAEKLE TABLE OF CONTENTS EXECUTIVE SUMMARY...1 AUDIT OBJECTIVES,

More information

OFFICE OF THE CITY CONTROLLER

OFFICE OF THE CITY CONTROLLER OFFICE OF THE CITY CONTROLLER INFORMATION TECHNOLOGY DEPARTMENT ENTERPRISE RESOURE PLANNING (SAP) SECURITY LIMITED REVIEW PERFORMANCE AUDIT Ronald C. Green, City Controller David A. Schroeder, City Auditor

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Denver International Airport Planning and Development Division Performance Audit

Denver International Airport Planning and Development Division Performance Audit Denver International Airport Planning and Development Division Performance Audit June 2013 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor

More information

Security and Control Issues within Relational Databases

Security and Control Issues within Relational Databases Security and Control Issues within Relational Databases David C. Ogbolumani, CISA, CISSP, CIA, CISM Practice Manager Information Security Preview of Key Points The Database Environment Top Database Threats

More information

Network Security Management Phase 2 Performance Audit

Network Security Management Phase 2 Performance Audit Network Security Management Phase 2 Performance Audit July 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

The Department of General Services Contract Administration Performance Audit

The Department of General Services Contract Administration Performance Audit The Department of General Services Contract Administration Performance Audit August 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

AUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS

AUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF COMMUNITY HEALTH AUTOMATED MEDICAID PROCESSING SYSTEM (CHAMPS) CLAIMS EDITS DEPARTMENT OF COMMUNITY HEALTH AND DEPARTMENT OF TECHNOLOGY,

More information

Department of Public Safety and Correctional Services Information Technology and Communications Division

Department of Public Safety and Correctional Services Information Technology and Communications Division Audit Report Department of Public Safety and Correctional Services Information Technology and Communications Division March 2008 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

STATE OF CONNECTICUT

STATE OF CONNECTICUT STATE OF CONNECTICUT AUDITORS' REPORT CORE-CT SYSTEM INFORMATION TECHNOLOGY SECURITY AUDIT AS OF NOVEMBER 2014 AUDITORS OF PUBLIC ACCOUNTS JOHN C. GERAGOSIAN ROBERT M. WARD Table of Contents INTRODUCTION...

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

STATE OF ARIZONA Department of Revenue

STATE OF ARIZONA Department of Revenue STATE OF ARIZONA Department of Revenue Douglas A. Ducey Governor September 25, 2015 David Raber Director Debra K. Davenport, CPA Auditor General Office of the Auditor General 2910 North 44 th Street, Suite

More information

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015 July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government

Department of Information Technology Remote Access Audit Final Report. January 2010. promoting efficient & effective local government Department of Information Technology Remote Access Audit Final Report January 2010 promoting efficient & effective local government Background Remote access is a service provided by the county to the Fairfax

More information

Department of Transportation Office of Transportation Technology Services

Department of Transportation Office of Transportation Technology Services Audit Report Department of Transportation Office of Transportation Technology Services October 2005 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Denver International Airport Airport Legal Services Section Performance Audit

Denver International Airport Airport Legal Services Section Performance Audit Denver International Airport Airport Legal Services Section Performance Audit July 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

CITY OF BOULDER *** POLICIES AND PROCEDURES

CITY OF BOULDER *** POLICIES AND PROCEDURES CITY OF BOULDER *** POLICIES AND PROCEDURES CONNECTED PARTNER EFFECTIVE DATE: SECURITY POLICY LAST REVISED: 12/2006 CHRISS PUCCIO, CITY IT DIRECTOR CONNECTED PARTNER SECURITY POLICY PAGE 1 OF 9 Table of

More information

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011 O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report

More information

Second Follow-up Audit Report on Department of Education Internal Controls Over Its Data Center 7F04-137

Second Follow-up Audit Report on Department of Education Internal Controls Over Its Data Center 7F04-137 Second Follow-up Audit Report on Department of Education Internal Controls Over Its Data Center 7F04-137 September 27, 2004 THE CITY OF NEW YORK OFFICE OF THE COMPTROLLER 1 CENTRE STREET NEW YORK, N.Y.

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report

Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report November 2006 promoting efficient & effective local government Executive Summary The Department

More information

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015 Solihull Metropolitan Borough Council IT Audit Findings Report September 2015 Version: Responses v6.0 SMBC Management Response July 2015 Financial Year: 2014/2015 Key to assessment of internal control

More information

OFFICE OF THE CITY AUDITOR

OFFICE OF THE CITY AUDITOR OFFICE OF THE CITY AUDITOR AUDIT OF THE VITAL STATISTICS BIRTH AND DEATH CERTIFICATE IMAGING SYSTEM Paul T. Garner Assistant City Auditor Prepared by: Tony Aguilar, CISA Sr. IT Auditor Bill Steer, CPA,

More information

Performance Audit E-Service Systems Security

Performance Audit E-Service Systems Security Performance Audit E-Service Systems Security October 2009 City Auditor s Office City of Kansas City, Missouri 15-2008 October 21, 2009 Honorable Mayor and Members of the City Council: This performance

More information

DATA CENTER OPERATIONS

DATA CENTER OPERATIONS REPORT NO. 2015-101 FEBRUARY 2015 FLORIDA STATE UNIVERSITY NORTHWEST REGIONAL DATA CENTER DATA CENTER OPERATIONS Information Technology Operational Audit EXECUTIVE DIRECTOR OF THE NORTHWEST REGIONAL DATA

More information

e-governance Password Management Guidelines Draft 0.1

e-governance Password Management Guidelines Draft 0.1 e-governance Password Management Guidelines Draft 0.1 DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S.

More information

Department of Aviation Revenue Contract Management Performance Audit

Department of Aviation Revenue Contract Management Performance Audit Department of Aviation Revenue Contract Management Performance Audit March 2011 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City

More information

AUDITOR GENERAL WILLIAM O. MONROE, CPA

AUDITOR GENERAL WILLIAM O. MONROE, CPA AUDITOR GENERAL WILLIAM O. MONROE, CPA HILLSBOROUGH COUNTY DISTRICT SCHOOL BOARD LAWSON FINANCIALS MODULE Information Technology Audit SUMMARY To support its financial management needs, the Hillsborough

More information

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government

Department of Information Technology Active Directory Audit Final Report. August 2008. promoting efficient & effective local government Department of Information Technology Active Directory Audit Final Report August 2008 promoting efficient & effective local government Executive Summary Active Directory (AD) is a directory service by Microsoft

More information

O L A. Department of Employee Relations Department of Finance SEMA4 Information Technology Audit OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA

O L A. Department of Employee Relations Department of Finance SEMA4 Information Technology Audit OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA Financial-Related Audit Department of Employee Relations AUGUST 29, 2002 02-57 Financial Audit Division The Office of the Legislative Auditor

More information

Memorandum. Audit Report No.: OAS-L-08-04 REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE

Memorandum. Audit Report No.: OAS-L-08-04 REPLY TO ATTN OF: Chief Financial Officer, CF-1 TO: INTRODUCTION AND OBJECTIVE '. 01/29/08 15:22 FAX 301 903 4656 CAPITAL REGION Q002 DOE F 1325.8 (s.9 3 25 United States Government Memorandum DATE: January 28, 2008 REPLY TO ATTN OF: SUBJECT: TO: IG-34 (A07TG029) Department of Energy

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section

More information

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014 U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department

More information

10-13 MEMORIAL HEALTH SYSTEM IT BACKUP PROCESS PUBLIC REPORT CITY OF COLORADO SPRINGS OFFICE OF THE CITY AUDITOR JULY 22, 2010

10-13 MEMORIAL HEALTH SYSTEM IT BACKUP PROCESS PUBLIC REPORT CITY OF COLORADO SPRINGS OFFICE OF THE CITY AUDITOR JULY 22, 2010 CITY OF COLORADO SPRINGS OFFICE OF THE CITY AUDITOR 10-13 MEMORIAL HEALTH SYSTEM IT BACKUP PROCESS PUBLIC REPORT JULY 22, 2010 Denny Nester, MBA CPA CIA CGFM CFE CGAP Interim City Auditor Jacqueline Rowland,

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

Vice President of Information

Vice President of Information Name of Policy: Password security policy 1 Policy Number: Approving Officer: Responsible Agent: Technology Scope: 3 3364-65-07 President all University campuses New policy proposal Major revision of existing

More information

Division of IT Security Best Practices for Database Management Systems

Division of IT Security Best Practices for Database Management Systems Division of IT Security Best Practices for Database Management Systems 1. Protect Sensitive Data 1.1. Label objects containing or having dedicated access to sensitive data. 1.1.1. All new SCHEMA/DATABASES

More information

Craig Stroud Multnomah County Interim Auditor

Craig Stroud Multnomah County Interim Auditor Audit of SAP Identity and Access Management April 2009 Craig Stroud Multnomah County Interim Auditor Sarah Landis Deputy Auditor Audit Staff Judith DeVilliers Mark Ulanowicz We conducted this performance

More information